Using WebCrypto API to generate a KeyPair

The other day, I was using my chromebook and I needed to generate a keypair to get access to a new ssh server. I googled for a solution, but surprisingly I couldn't find one. Though I was pretty sure that the WebCrypto API would allow me to do easily, it turned out it's not as easy as I thought and it took me a couple days to actually figure out how to use the webcrypto API to achieve this specific goal, though this was mostly due to my blissful ignorance of ASN.1 encoding, JWK, base64url and openssh weird public key format.

Of course the first point of reference should be the the actual W3C spec. But this document is a bit too abstract and I found it hard to actually use the API from the spec.

Then I found a WebCrypto live table that tells me if my current browser actually support the API. Since some of those use native libraries, the Chrome on ChromeOS would have different support as the Chrome on other OSes.

We also need to keep in mind that the WebCrypto api is only available from secure locations. Luckily the file url is counted as a secure location, so it makes it easy to experiment from there. And surge.sh does host under https so that will be my provider of choice to host the end result.

On an OS with support for openssh we have the nifty utility ssh-keygen which allows to generate a keypair that can be used with ssh - which is exactly what we need.

So we have to figure out which algorithm to use, then use it with the appropriate parameters, then find a way to expose the public key and the private key. Ideally save the private key to a file and copy the public key.

The WebCrypto api is based on promises for the async work, so you will need to be vaguely familiar with promises to be able to read the code.

I am forever grateful to Converting OpenSSH public Keys for explaining the format used by OpenSSH public keys.

I also had to use a lot of google-fu to find out how to ASN.1 encode the JWK produced for the private key by the WebCrypto API in format that will be accepted by openSSH. Thanks to Lapo Luchini for putting together the awesome ASN.1 online decoder that allowed me debug my code and find out that ASN.1 doesn't like integer that starts with the high bit set (you have to prefix them with 0x00 in this case).

Please note that it is usually a very bad idea to put private keys in a browser, as most thing that are displayed on a web page can be stolen and a private key is probably the worst thing you could think putting on a web page.

But now, equipped with those two string representation of my key pair, I can setup my ssh connection straight from my Chromebook without having to use another OS. I am using the ssh chrome extension.

Live demo at https://js-keygen.surge.sh
Code at https://github.com/PatrickRoumanoff/js-keygen


Anonymous said...

Awesome blog. I would love to see true life prepared to walk, so please share more informative updates. Great work keeps it up. DCAPE-100 exam braindumps

Anonymous said...

Hey people! If some of you really necessity some assistance with essya adn homewrok you can ask this guys for help! So dont be shy adn check this personal statement writing company out! Appreciate your day adn pleased new year! Like it!

Hudsonchris said...

Elegance in accessories can be done by using Goldsmith Voucher Codes! If you are someone who is looking for something unique and timeless, then this could be the perfect place for you; they have a huge collection of fine jewelry, timepieces and other accessories. Coming across Goldsmith Voucher Codes will give you an opportunity to check their wide range at low price rates. Whether it is an engagement ring or necklace or bracelet or even luxury watch – everything has been made with perfection at Goldsmith’s shop so that each piece carries its own unique story on its surface! These Voucher Codes should come in handy while making your purchase decision; just imagine how much money you could save if only you used them during your shopping spree? You can either decorate yourself with these vouchers or find the perfect gift and save some cash.

Rose C said...

Good poost